配置PIX Failover------基于LAN的Failover

在同一个子网内。如下例年示：

failover ip address inside 10.1.1.2
failover ip address outside 192.168.1.2
failover ip address intf2 192.168.2.2
failover ip address intf3 192.168.3.2
failover ip address 4th 172.16.1.2

　　配置后，再show failover的输出如下：

show failover
Failover On
Cable status: Other side powered off
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: primary - Active
Active time: 510 (sec)
Interface 4th (172.16.1.1): Normal (Waiting)
Interface intf3 (192.168.3.1): Normal (Waiting)
Interface intf2 (192.168.2.1): Normal (Waiting)
Interface outside (192.168.1.1): Normal (Waiting)
Interface inside (10.1.1.1): Normal (Waiting)
Other host: secondary - Standby
Active time: 0 (sec)
Interface 4th (172.16.1.2): Unknown (Waiting)
Interface intf3 (192.168.3.2): Unknown (Waiting)
Interface intf2 (192.168.2.2): Unknown (Waiting)
Interface outside (192.168.1.2): Unknown (Waiting)
Interface inside (10.1.1.2): Unknown (Waiting)

　　第十二步　将用于LAN Fairover的接口接入网络，然后在主PIX上配置：

no failover
failover lan unit primary
failover lan interface intf3
failover lan key 1234567
failover lan enable
failover

　　第十三步　如果要配置Stateful Failover,使用failover link命令来定义要使用哪一个接口来传输状态信息，在本例中使用4th，命令如下：

　　failover link 4th

　　第十四步　启用Stateful Failover,show failover命令的输出如下：

show failover

Failover On
Cable status: Unknown
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: primary - Active
Active time: 510 (sec)
Interface 4th (172.16.1.1): Normal (Waiting)
Interface intf2 (192.168.2.1): Normal (Waiting)
Interface outside (192.168.1.1): Normal (Waiting)
Interface inside (10.1.1.1): Normal (Waiting)
Other host: secondary - Standby
Active time: 0 (sec)
Interface 4th (172.16.1.2): Unknown (Waiting)
Interface intf2 (192.168.2.2): Unknown (Waiting)
Interface outside (192.168.1.2): Unknown (Waiting)
Interface inside (10.1.1.2): Unknown (Waiting)
Stateful Failover Logical Update Statistics
Link : 4th
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
xlate 0 0 0 0
tcp conn 0 0 0 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
Lan Based Failover is Active
Interface intf3 (192.168.3.1): Normal, peer (192.168.3.2) Unknown

　　在"Stateful Failover Logical Update Statistics"一段中的各部分的意义如下：

Stateful Obj-PIX　stateful对象 xmit-传送到另一台设备的包数量 xerr-在传送过程中出现的错误包的数量 rcv-收以的包数量 rerr-收到的错误包的数量

　　每一行的状态对象定义如下:

General-所有的状态对象汇总 sys cmd-系统命令，例LOGIN和Stay Alive up time-启用时间 xlate-转换信息 tcp conn-CTCP连接信息 udp conn-动态UDP连接信息 ARP tbl-动态ARP表信息 RIF Tbl-动态路由表信息

　　第十五步　如果需要将轮询时间改得小于15秒，以保证正常工作，可以使用Failover poll seconds命令，缺省值为15秒，最小3秒，最大15秒。将轮询时间改小，会更快的检测到失效，但也也由于临时的拥塞和导致不必要的切换。

　　第十六步 在不接用于Fairover电缆的情况下打开备用pix电源，然后进行如下配置：

nameif ethernet3 intf3 security40
interface ethernet3 100full
ip address intf3 192.168.3.1 255.255.255.0
failover ip address intf3 192.168.3.2
failover lan unit secondary <--optional
failover lan interface intf3
failover lan key 1234567
failover lan enable
failover
wr mem
reload

　　第十七步　备用PIX启动后，将它上面用于做Failover的接口接入网络，然后使用show Failover命令验证Failover状态：

show failover

Failover On
Cable status: Unknown
Reconnect timeout 0:00:00
Poll frequency 15 seconds
This host: primary - Active
Active time: 510 (sec)
Interface 4th (172.16.1.1): Norml
Interface intf2 (192.168.2.1): Normal
Interface outside (192.168.1.1): Normal
Interface inside (10.1.1.1): Normal
Other host: secondary - Standby
Active time: 0 (sec)
Interface 4th (172.16.1.2): Normal
Interface intf2 (192.168.2.2): Normal
Interface outside (192.168.1.2): Normal
Interface inside (10.1.1.2): Normal
Stateful Failover Logical Update Statistics
Link : 4th
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
xlate 0 0 0 0
tcp conn 0 0 0 0
udp conn 0 0 0 0
ARP tbl 0 0 0 0
RIP Tbl 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
Lan Based Failover is Active
Interface intf3 (192.168.3.1): Normal, peer (192.168.3.2) Normal